METHOD AND APPARATUS FOR SOFTWARE LICENSING ELECTRONICALLY DISTRIBUTED PROGRAMS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of use of computer software registration. More particularly, the present invention relates to secure registration of computer software.

2. Description of Related Art

The use of wide-area-networks such as the Internet to distribute software has become a very popular way to distribute software. The software can be programmed to be, until a license is purchased, either fully functional for a "trial period" of a certain duration, or partially functional. Providing potential customers the ability to download functional versions of a particular software allows access to an audience base that is limited only by the means of distribution (e.g., the size of the audience which has access to the Internet).

In addition, using networks to distribute demonstration or "demo" software is cost effective for the software company, as the company does not need to first place the demo software onto a distribution medium such as floppy disks or compact disk read-only-memory (CD-ROM) disks. Moreover, the company does not have to create or pay for packaging, nor maintain an inventory. The cost saving is especially beneficial in helping companies save marketing funds, which can be invested in other programs.

However, these cost savings disappear when the company has to ensure that customers who download the software pay for the software. Companies which put functionally limited versions of their software on the network require a customer to send in payment for the software before the customer is sent a fully functional version. These companies must maintain a stock of packaged software, exactly the problem that a network-based distribution method attempts to solve.

Companies which put a time limit or other restrictions on their software require the customer to pay for a license before the customer is sent a "key code". The key code is entered into the program, which then unlocks any restrictions. The problem associated with this scheme is that the same key code can be used for any copy of the software, so multiple individuals can unlock their respective copies of the software by simply purchasing one license and distributing the received key code amongst themselves.

Thus, it would be preferable to have a software distribution scheme that overcomes the problems associated with these methods.

SUMMARY OF THE INVENTION

A method including the steps of receiving a registration identifier for a client; generating a registration key based on the registration identifier; and transmitting the registration key to the client.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a client system and a vendor system configured in accordance to a preferred embodiment of the present invention.

FIG. 2 is a flow diagram of the operation of the client system for initiating a request for registration of a software license.

FIG. 3 is a flow diagram of the operation of the server system in receiving the request of the client system and generating a registration key for the software on the client system.

FIG. 4 is a flow diagram of the operation of the client system after it has received the registration key for the software.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides a method and apparatus for distributing software licenses. For purposes of explanation, specific embodiments are set forth to provide a thorough understanding of the present invention. However, it will be understood by one skilled in the art, from reading this disclosure, that the invention may be practiced without these details. Further, although the present invention is described through the use of software distribution over the Internet, most, if not all, aspects of the invention apply to software distribution in general. Moreover, well-known elements, devices, process steps and the like are not set forth in detail in order to avoid obscuring the present invention.

Through the use of public key cryptography, one-way hash functions and unique machine identification, software registration is provided which is individualized to a particular computer. Thus, software registration is "locked-in" to a particular computer and cannot be used on another computer, preventing the sharing of key codes.

In order to describe this system of software distribution, an explanation is first provided below for public key cryptography, one-way hash functions and unique machine identification.

Public Key Cryptography

Public key cryptography provides the ability for two parties to send information securely between themselves. Unlike symmetrical cryptography, which requires a shared secret key, public key cryptography uses one key, a "public" key, to encode information and another complementary key, a "private key" to decode encrypted information. The security of the system lies in the method used to create the key pair and the belief that it is very difficult to determine the private key from the public key.

In use, a user publishes the public key and keeps the private key secret. Parties wishing to send a message to the user encrypt the message with the user's published public key and send it to the user. Upon receiving the encrypted message, the user decrypts the message with the user's private key, thereby recovering the original message.

A user can also "sign" a document by using the user's private key. The user would encrypt the message with the private key, and other parties would decrypt the message with the user's public key. Only documents encrypted with the user's private key will be intelligible when decrypted with the user's public key.

Mathematically, encryption is represented by:

$$C = E_{k1}(M)$$

and decryption by:

$$M = D_{k2}(C),$$

where M is the original message, C is the encrypted message, k1 is the public key, k2 is the private key, E( ) is the encryption function and D( ) is the decryption function. For signing of documents, the keys used would be reversed.
One-Way Hash Functions

A one-way hash function is a function which cannot be easily reversed. Specifically, given an input, an output is easy to generate, but given the output, the input is practically [illegible in source] very difficult to generate input data which hashes to the output value. One-way hash functions can output more, less, or the same amount of information (e.g., number of bits) from a given input. To be useful, the hash function should return practically unique values for a given input. Usually, the hash values have less information than the input data.

One-way hash functions are useful in constructing "signatures" of documents. For example, if user A has a document, and user B wants to prove to user A that he has the same document, user B can run an agreed upon one-way hash function and send the result to user A, who can run the same one-way hash function and compare hash values. If they match, user A has strong evidence that user B has a copy of the same document.

Mathematically, the hash function is represented by:

$$S = H(M)$$

where M is the original message, H( ) is the one-way hash function, and S is the signature of the message.

Unique Machine Identification

Modern operating systems support remote procedure calls (RPC), which requires a unique method of identifying each machine on a network. Thus, most operating systems include a way of generating universal unique identifiers (UUID), which are unique in time and space. These UUID's have a well defined layout and have preallocated portions for location information, time information, and user defined information. Every UUID created on a particular machine will have the same values for the location bits. Therefore, these bits can be used to uniquely identify a particular machine.

Software Registration

FIG. 1 is a block diagram of a client system 50 and a vendor system 80 configured in accordance with one embodiment of the present invention.

Client 50 contains a CPU 52, which is a general purpose processor, coupled to a network adapter 54. Also coupled to network adapter 54 and CPU 52 is a memory 56, which stores the data and procedures which CPU 52 uses to operate.

Memory 56 of client system 50 contains a machine unique identifier U 58; a hash function H(U) 60; a public key $K_p$ 62; an encryption procedure $E_k(\,)$ 64; a decryption procedure $D_k(\,)$ 66; a registration storage unit 68; an equality test procedure 70 and software 72.

As discussed above, machine unique identifier U 58 is a number that is unique to client system 50, and the size of machine unique identifier U 58 can be of any length, as generated by client system 50.

Also, as discussed above, encryption procedure $E_k(\,)$ 64 and decryption procedure $D_k(\,)$ 66 are used to encrypt and decrypt, respectively, messages which are received from vendor system 80.

Public key $K_p$ is used with encryption procedure $E_k(\,)$ 64 to create an encrypted version of a one-way hashed machine unique identifier U 58, as described below. Public Key $K_p$ 62 is also used with decryption procedure $D_k(\,)$ 66 to authenticate any registration keys received from vendor system 80.

Registration storage unit 68 is used to store the registration key received from vendor system 80 for enabling features of software 72.

Equality test procedure 70 is used to verify that the decrypted version of the registration key stored in registration storage unit 68 is equivalent to the one-way hashed value of machine unique identifier (U) 58, as generated by hash function H(U) 60. Equality test procedure 70 is interfaced with software 72 to enable/disable functionality of software 72 based on the result of the test procedure, as discussed below.

Continuing to refer to FIG. 1, vendor system 80 contains a network adapter 82 which is used to communicate with network adapter 54 of client system 50 through a network 96. Network 96 can be a general purpose network such as the Internet or a local-area-network containing two or more systems.

Vendor system 80 also contains a CPU 84, which is a general purpose processor, coupled to network adapter 82. It is to be noted that CPU 84 and CPU 52 of client system 50 can also be custom integrated circuits. Also coupled to network adapter 82 and CPU 84 is a memory 86. Memory 86 of vendor system and memory 56 of client system 50 can also be general purpose data storage devices or custom data storage devices such as integrated circuits and can be built into CPU 84 of vendor system 80 and CPU 52 of client system 50, respectively.

Memory 86 of vendor system 80 contains a decryption procedure $D_k(\,)$ 88; a registration number generator 90; an encryption procedure $E_k(\,)$ 92; and secret key 94.

Decryption procedure 88 is functionally equivalent to decryption procedure $D_k(\,)$ 66 of client system 50. Similarly, encryption procedure $E_k(\,)$ 92 is functionally similar to encryption procedure $E_k(\,)$ 64 of client system 50. However, vendor system 80 will use secret key 94 and decryption procedure $D_k(\,)$ 88 to decrypt the messages generated by encryption procedure $E_k(\,)$ 64 of client system 50 (client system 50 using public key $K_p$). Also, vendor system 80 will use key $K_s$ 94 in encryption procedure $E_k(\,)$ 92 to authenticate messages which are sent to decryption procedure $D_k(\,)$ 66 of client system 50.

Registration number generator 90 is used to verify user payment information CC which is received from client system 50. After payment is made, registration number generator will allow vendor system 80 to generate a registration key.

A first dotted line 97 is used to logically represent the sending of data from encryption procedure $E_k(\,)$ 64 of client system 50 to decryption procedure $D_k(\,)$ 88 of vendor system 80, while a second dotted line 98 is used to logically represent the sending of encryption procedure $E_k(\,)$ 92 of vendor system 80 to registration storage unit 68 of client system 50. The actual data is sent over network 96 through the use of network adapter 54 and network adapter 82.

It is to be noted that although software 70 is shown to be a separate functional block in FIG. 1, in alternate embodiments, software 70 contains any combination of the functional and storage elements contained in memory 56 of client system 50.

FIG. 2 is a flow diagram of the operation of the software registration system, as shown in FIG. 1, where the user decides [illegible in source] product [illegible in source].

In block 100, client system 50 first determines machine unique identifier U 58. As noted above, machine unique identifier U 58 is used to uniquely identify client system 50 and is generated by using a built-in function of the operating system. After machine unique identifier U 58 is determined, client system 50 creates a one-way hashed version of machine unique identifier U using hash function H(U) 60.

The generation of the one-way hashed version of the machine unique identifier in block 100 provides a practically unique registration code which does not allow the vendor access to any sensitive machine information, such as the network card ID number. The use of one-way hash function
H(U) allows the registration identifier to be a fixed size, independent of how many bits of information are available in machine unique identifier U 58. A fixed size registration identifier is useful for multi-platform products as each type of platform may have a different number of location specific bits in the UUID.

In block 102, client system 50 receives user payment and other transaction specific information (CC). This is information appended to the one-way hashed version of the machine unique identifier and is whatever transaction specific information the vendor requires, such as the user's name and credit card number.

In block 104, client system 50 generates a registration identifier R by using this formula:

$$M = H(U) + CC$$

$$R = E_{k_p}(M)$$

where H( ) is hash function 60; U is machine unique identifier 58; CC is private, transaction specific information, such as the user's name and credit card number; M is the one-way hashed machine unique identifier with private user data appended (i.e., the "message"); $E_k(\,)$ is encryption procedure 64; $k_p$ is the published, public key 62; and R is the generated registration identifier. As this information is encrypted using the published public key ($K_p$), it can only be decrypted and read by vendor system 80 with the private key ($K_s$).

In block 106, the registration identifier (R) is transmitted to vendor system 80. This can be done automatically by software 72, which is contained on client system 50 over the Internet, or a text representation of the registration identifier (R) can be generated and sent to the vendor to be processed on vendor system 80.

As described, the information contained in registration identifier (R) is encrypted before it is transmitted, so it can be transmitted using any method, either securely or non-securely.

FIG. 3 illustrates the operation of vendor system 80 where the client system 50 has transmitted registration identifier (R).

In block 110, vendor system 80, upon receiving the registration identifier (R), computes:

$$M = D_{k_s}(R)$$

$$H(U) + CC = M$$

where R is the registration code; M is the one-way hashed machine identifier with private user data appended, recovered by decrypting R (this is split into two parts to recover H(U) and CC); $D_k(\,)$ is decryption procedure 88; and $k_s$ is the secret private key 94.

In block 112, the private user information (CC) is used to verify payment for the software. This verification can be as simple as processing a credit card transaction or verifying that the user has sent in payment.

In block 114, after payment is received, vendor system 80 will generate:

$$T = E_{k_s}(H(U))$$

where $E_k(\,)$ is encryption procedure 92 and T is the generated registration key.

It is to be noted that as registration key (T) is based on a machine identifier which is unique for client system 50, even if registration key (T) is compromised, it could not be used for another machine.

In block 116, vendor system 80 will transmit registration key (T) to client system 50. As stated above, as registration key (T) is an encrypted value of the one-way hashed value of machine unique identifier U 58, registration key (T) can be transmitted using any means, whether it is secure or unsecure.

Further, as registration key (T) is specific for client system 50 and cannot be used by another system, the security of the key system can be compromised and the protection provided by the system would still remain.

FIG. 4 illustrates the operation of client system 50 after client system 50 has received registration key (T).

In block 120, client system 50 will store registration key (T) in registration storage unit 68 so that it can be accessed when needed. When software 72 needs to expose or hide functionality based on the registration status, the current key is loaded from this location, decrypted, and checked for correctness as discussed in block 122. Also, the next time software 72 runs or needs to decide if software 72 is a registered copy, client system 50 will go to block 122.

In block 122, equality test procedure 70 of client system 50 will determine if registration key (T) comes from vendor system 80 by checking to see if the following holds true:

$$D_{k_p}(T) = H(U)$$

where: $D_k(\,)$ is decryption procedure 88; $k_p$ is the published, public key 62; H( ) is the one-way hash function 60; U is machine unique identifier 58; and T is the registration key.

If the equality holds true, then operation will continue with block 124. Otherwise, operation will continue with block 126.

In block 124, client system 50 will allow any functionality in software 72 that was previously disabled.

In block 126, as client system 50 has detected that registration key (T) is not received from vendor system 80 or is not valid, any functionality of software 72 that is not accessible to non-paid users remains locked or hidden.

It is to be noted that any public key cryptography algorithm that can transmit arbitrary messages will work in the system. However, the security of the system is only as secure as the cryptography algorithm. For public key cryptography systems, security increases as more bits are added to the key (i.e., the key length is increased). In a preferred embodiment, the key length is at least 512 bits.

In order to prevent an attacker from trying to break the licensing scheme by modifying the executable code containing the check which disables functionality, several alternate embodiments are proposed.

First, all debug information should be removed from any executable before distribution. This makes it harder for the attacker to follow the flow of control which checks the registration code.

Second, multiple places in the code can check for the existence of a correct registration key (T). This makes it [illegible in source] to [illegible in source] the registration checks.

Third, the registration checking code can be obfuscated, [illegible in source] follow [illegible in source] complicated enough that it would be more cost effective to just license the software legally.

Fourth, for even more security, the software itself could be encrypted with the private key and loaded, decrypted and run using a second loader program. This method would be secure against all but the dumping of the binary image of the running executable out to a disk file and reconstructing an executable program file from a binary image.

For maximum security, the operating system (OS) itself could be enhanced to only execute encrypted executable files. The OS would be shipped with the decryption key, but the encryption key would remain secret. To execute a
program, it would have to be decrypted by the internal OS key. Since only the OS manufacturer would have the encryption key, only programs encrypted by the OS manufacturer could be run. Obviously, this level of security would affect the way that software could be written and used. However some usage models, such as game machines where most software comes from one manufacturer and no software is written on the executing machine itself, could use this security method.

In one alternate embodiment, time-limited licenses can be granted. Instead of simply decrypting and re-encrypting the unique machine identifier, an expiration date is added to the message. When client system 50 checks registration key (T), client system 50 also decrypts the expiration date and checks if the license has expired.

In the alternate embodiment, the following functions would be used on vendor system 80:

$$H(U) + CC = M$$

Where: R is the registration code; M is the one-way hashed machine identifier with private user data appended, recovered by decrypting R (this is split into two parts to recover H(U) and CC); V is the expiration date; $E_k(\,)$ is the encryption procedure; $D_k(\,)$ is the decryption procedure; $k_s$ is the secret, private key; and, T is the generated registration key.

In addition, on client system 50, the following function would be used:

$$D_{k_p}(T) = K, V$$

and a check performed to determine if the two following conditions hold true:

and,

V has not expired, where: $D_k(\,)$ is the decryption procedure; $k_p$ is the published, public key; H( ) is the one-way hash function; U is the machine unique identifier; T is the registration key; K is the machine identifier portion of the decrypted registration key; and V is the expiration date portion of the decrypted registration key.
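The registration flow of blocks 100 to 126 together with the expiration-date variant, traced end to end as an added Python example that is not part of the patent text. SHA-256 for H( ), raw RSA over two constructed Mersenne primes for the encryption and decryption procedures, the 8-byte date encoding for V and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed key pair: two Mersenne primes give a 1128-bit modulus.
# Raw, unpadded RSA is used only to mirror E_k( ) and D_k( ) from the text;
# it is an assumption of this example, not a recommended signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
K_P = 65537                               # published public exponent
K_S = pow(K_P, -1, (P - 1) * (Q - 1))     # vendor's secret exponent

HASH_LEN = 32    # SHA-256 stands in for H( )
DATE_LEN = 8     # expiration date V encoded as ASCII YYYYMMDD (assumed)


def H(machine_id):
    """One-way hash of the machine unique identifier U."""
    return hashlib.sha256(machine_id).digest()


def _encode(data):
    # A leading 0x01 byte keeps leading zero bytes of the payload intact.
    value = int.from_bytes(b"\x01" + data, "big")
    if value >= N:
        raise ValueError("payload too long for the modulus")
    return value


def _decode(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("malformed block")
    return raw[1:]


def client_make_request(machine_id, cc):
    """Blocks 100-104: M = H(U) + CC, then R = E_kp(M)."""
    return pow(_encode(H(machine_id) + cc), K_P, N)


def vendor_issue_key(r, valid_until):
    """Blocks 110-114: recover H(U) and CC from R, then encrypt H(U)
    together with expiration date V under the secret key."""
    m = _decode(pow(r, K_S, N))
    hashed_id, cc = m[:HASH_LEN], m[HASH_LEN:]
    # Payment verification using cc (block 112) would happen here.
    v = valid_until.strftime("%Y%m%d").encode("ascii")
    return pow(_encode(hashed_id + v), K_S, N), cc


def client_check_key(t, machine_id, today):
    """Blocks 122-126: D_kp(T) = K, V; K must equal H(U) and V must
    not have passed. Returns a status string."""
    try:
        payload = _decode(pow(t, K_P, N))
    except ValueError:
        return "invalid"
    if len(payload) != HASH_LEN + DATE_LEN:
        return "invalid"
    k, v = payload[:HASH_LEN], payload[HASH_LEN:]
    if not hmac.compare_digest(k, H(machine_id)):
        return "wrong-machine"
    try:
        expiry = datetime.strptime(v.decode("ascii"), "%Y%m%d").date()
    except ValueError:
        return "invalid"
    return "expired" if today > expiry else "registered"


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    r = client_make_request(b"machine-A", b"name=Example;card=0000")
    t, cc = vendor_issue_key(r, date(2030, 1, 1))
    for machine, day in [(b"machine-A", date(2029, 6, 1)),
                         (b"machine-B", date(2029, 6, 1)),
                         (b"machine-A", date(2030, 6, 1))]:
        print(machine, day, client_check_key(t, machine, day))
```

The same key T is accepted on the machine it was issued for and rejected on any other, which is the "locked-in" property the description relies on; the check itself still runs on the client, which is why the text goes on to discuss hardening the checking code.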

It is to be noted that the unique identifier does not have to be hashed before being transmitted. In addition, no private information has to be appended for payment purposes. In another alternate embodiment, only the unique identifier is transmitted.

In yet another alternate embodiment, the unique identifier, U, is not machine specific but specific in another way, such as user or binary specific. A software distribution site could be set up to download executables that are identical except for an internal identifier.

Alternatively, the software could be distributed with an installation program that set the executable's internal unique ID to some time or location specific value. Each user would get an equivalent binary file that required a different registration key, but the registration process and key verification would be exactly as in the basic system. This would allow a user to install the software on multiple machines but not share the registration key with other users. If the unique identifier could be something person specific, such as a fingerprint, a voice print, or a handwriting signature, this alternate embodiment could be very attractive.




Using electronic "money", the entire process could be
automated. A Web server could process the payment with the
registration identifier and send the registration key back to
the user (all over a secure channel such as Secure Socket
Layer) within a single transaction.

While the present invention has been particularly 
described with reference to the various figures, it should be 
understood that the figures are for illustration only and 
should not be taken as limiting the scope of the invention. 
Many changes and modifications may be made to the 
invention, by one having ordinary skill in the art, without 
departing from the spirit and scope of the invention. 

What is claimed is: 

1. A method comprising: 

receiving an encrypted registration identifier for a client, 
said registration identifier contains an one-way hashed 
value of a machine unique identifier for said client, said 
registration identifier being encrypted using a public 
key; 

decrypting said registration identifier using a private key 

that is matched to said public key to retrieve the 

one-way hashed value; 
generating a registration key based on said registration 

identifier by encrypting the retrieved one-way hashed 

value; and 

transmitting said registration key to said client. 

2. The method of claim 1 wherein said registration 
identifier further contains user payment information. 

3. The method of claim 2, further comprising decrypting 
said registration identifier to retrieve said user payment 
information. 

4. The method of claim 3, further comprising verifying 
payment using said user payment information. 

5. The method of claim 1 further comprising retrieving the
one-way hashed value from said registration key by the 
client; and 

comparing the client retrieved one-way hashed value to a 
client generated one-way hashed value. 

6. The method of claim 1, wherein said generating further 
comprises encrypting the one-way hashed value along with 
an expiration time indicator. 

7. A method comprising: 
determining a machine unique identifier; 

generating an one-way hashed value of said machine 

unique identifier; 
encrypting said one-way hashed value of said machine 

unique identifier to generate a registration identifier 

using a public key of a server; 
transmitting said registration identifier to said server; 
receiving a registration key from the server, the registra- 
tion key contains an encrypted form of the one-way 

hashed value retrieved by the server; 
retrieving by a client the one-way hashed value from the 

registration key; and 
comparing the client retrieved one-way hashed value to a 

client-generated one-hashed value. 

8. A method comprising: 
receiving a registration key; 

storing said registration key in memory; 

retrieving a one-way hashed value of a machine unique 

identifier from said registration key; 
generating a one-way hashed value of a machine unique 

identifier from said client; 
comparing said retrieved one-way hashed value of said 

machine unique identifier with said generated one-way 

hashed value of said machine unique identifier; and, 
providing a software enable signal only if said retrieved
one-way hashed value of said machine unique identifier 
is equal to said generated one-way hashed value of said 
machine unique identifier. 

9. The method of claim 8, further comprising: 
retrieving an expiration time indicator from said registra- 
tion key; and, 

eliminating the provision of said software enable signal if 
said expiration time indicator indicates that said regis- 
tration key has expired. 

10. An apparatus comprising: 
a processor; 

a memory coupled to said processor and configured with 
instructions to cause said processor to: 

receive an encrypted registration identifier for a client, 
said registration identifier contains an one-way hashed 
value of a machine unique identifier for said client, said 
registration identifier being encrypted using a public 
key; 

decrypt said registration identifier using a private key that 
is matched to said public key, to retrieve the one-way 
hashed value; 

generate a registration key based on said registration 
identifier by encrypting the one-way hashed value 
retrieved from said registration identifier; and, 

transmit said registration key to said client. 

11. The apparatus of claim 10, wherein said registration 
identifier contains an one-way hashed value of a machine 
unique identifier for said client. 

12. The apparatus of claim 10 wherein said registration 
identifier further contains user payment information. 

13. The apparatus of claim 12, where said memory 
contains further instructions configured to cause said pro- 
cessor to decrypt said registration identifier to retrieve said 
user payment information. 

14. The apparatus of claim 13 where said memory con- 
tains further instructions configured to cause said processor 
to verify payment using said user payment information. 

15. The apparatus of claim 10, where, to generate said 
registration key based on said registration identifier, said 
memory contains further instructions configured to cause 
said processor to encrypt the retrieved one-way hashed value 
along with an expiration time indicator. 

16. An article of manufacture comprising: 

a machine-readable medium having instructions which,
when executed by a machine, cause the machine to 

receive an encrypted registration identifier for a client, 
said registration identifier contains a one-way hashed 
value of a machine unique identifier for said client, said 
registration identifier being encrypted using a public 
key; 
decrypt said registration identifier using a private key that
is matched to said public key to retrieve the one-way 
hashed value; 

generate a registration key based on said registration 
identifier by encrypting the retrieved one-way hashed 
value into the registration key; and 

transmit said registration key to said client after verifying 
payment. 

17. The article of manufacture of claim 16 wherein the 
machine-readable medium includes further instructions 
which cause the machine to process a user payment, based 
upon user payment information retrieved from the registra- 
tion identifier, before transmitting the registration key. 

18. The article of manufacture of claim 17 wherein the 
machine readable medium includes further instructions 
which cause the machine to include an expiration time 
indicator when generating the registration key. 

19. An article of manufacture comprising: 

a machine-readable medium having instructions which, 
when executed by a client machine, cause the machine 
to 

(a) determine a machine unique identifier for said 
machine; 

(b) generate a one-way hashed value of said machine 
unique identifier; 

(c) encrypt said one-way hashed value to generate a 
registration identifier using a public key of a server; 

(d) transmit said registration identifier to said server; 

(e) receive a registration key from the server, the regis- 
tration key contains an encrypted form of the one-way 
hashed value; 

(f) retrieve the one-way hashed value from the registration 
key; 

(g) determine a machine unique identifier for said 
machine and generate a one-way hashed value thereof; 
and 

(h) compare the retrieved one-way hashed value in (f) to 
the one-way hashed value in (g). 

20. The article of manufacture of claim 19 wherein the 
machine-readable medium includes further instructions 
which cause the machine to provide a software enable signal 
only if the comparison in (h) indicates that the one-hashed 
value retrieved in (f) is equal to the one generated in (g). 

21. The article of manufacture of claim 20 wherein the 
machine-readable medium includes further instructions 
which cause the machine to retrieve an expiration time 
indicator from the registration key, and not provide the 
enable signal if the expiration time indicator indicates that 
the registration key has expired. 



06/08/2004, EAST Version: 1.4.1 



